AgentMem
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: agentmem Version: 2.4.0 The skill provides cloud memory for AI agents, and all network interactions are directed to the legitimate `api.agentmem.io` service. The `SKILL.md` file contains instructions for the AI agent to store and retrieve its own memories and user preferences, which is directly aligned with the skill's stated purpose. There is no evidence of data exfiltration (beyond the agent's own memory data to the service), malicious execution, persistence, or prompt injection attempts designed to subvert the agent's core function or exfiltrate unrelated sensitive data. The `demo.sh` script is a straightforward demonstration of the API.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Private or sensitive information learned during conversations could be stored remotely and later reused by the agent; stale or manipulated memories could influence future behavior.
The skill directs the agent to automatically persist and reuse potentially sensitive session context, preferences, facts, and decisions in cloud memory, but does not provide clear consent, filtering, or trust-boundary instructions.
On session start: ... Retrieve your stored context automatically ... When you learn something important: Store it ... Examples: user preferences, learned facts, decisions made ... Flush critical context to AgentMem
Require explicit user approval before storing or retrieving memories, avoid secrets and personal data, define allowed memory categories, and treat retrieved memories as untrusted context.
If used for real context rather than testing, memories may have unclear access controls and could be accidentally exposed or polluted through the cloud memory channel.
The documented no-key read/write flow uses an agent-name header and persists data, but the artifacts do not explain how memories are isolated, authenticated, or protected from unintended reads/writes.
No API key, no signup, no config. ... Your data persists for 7 days ... curl "https://api.agentmem.io/v1/memory/hello" -H "X-Agent-Name: YOUR_AGENT_NAME"
Use a scoped API key for any non-test data, avoid storing sensitive content in the no-key demo mode, and confirm the provider’s access-control and deletion behavior before enabling automatic memory use.